What's new in Defender for Cloud recommendations and alerts
This article summarizes what's new in security recommendations and alerts in Microsoft Defender for Cloud. It includes information about new, modified, and deprecated recommendations and alerts.
This page is updated frequently with the latest recommendations and alerts in Defender for Cloud.
Find the latest information about new and updated Defender for Cloud features in What's new in Defender for Cloud features.
Find items older than six months in the What's new archive.
Tip
Get notified when this page is updated by copying and pasting the following URL into your feed reader:
https://aka.ms/mdc/rss-recommendations-alerts
- Review a complete list of multicloud security recommendations and alerts:
Recommendations and alert updates
New and updated recommendations and alerts are added to the table in date order.
| Date | Type | State | Name |
|---|---|---|---|
| June 28 | Recommendation | GA | Azure DevOps repositories should require minimum two-reviewer approval for code pushes |
| June 28 | Recommendation | GA | Azure DevOps repositories should not allow requestors to approve their own Pull Requests |
| June 28 | Recommendation | GA | [GitHub organizations should not make action secrets accessible to all repositories](recommendations-reference-devops.md#github-organizations-should-not-make-action-secrets-accessible-to-all repositories) |
| June 27 | Alert | Deprecation | Security incident detected suspicious source IP activitySeverity: Medium/High |
| June 27 | Alert | Deprecation | Security incident detected on multiple resourcesSeverity: Medium/High |
| June 27 | Alert | Deprecation | Security incident detected compromised machineSeverity: Medium/High |
| June 27 | Alert | Deprecation | Security incident detected suspicious virtual machines activitySeverity: Medium/High |
| May 30 | Recommendation | GA | Linux virtual machines should enable Azure Disk Encryption (ADE) or EncryptionAtHost. Assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0 |
| May 30 | Recommendation | GA | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af |
| May 28 | Recommendation | GA | Machine should be configured securely (powered by MDVM) |
| May 1 | Recommendation | Upcoming deprecation | System updates should be installed on your machines. Estimated deprecation: July 2024. |
| May 1 | Recommendation | Upcoming deprecation | System updates on virtual machine scale sets should be installed. Estimated deprecation: July 2024. |
| May 1 | Recommendation | Upcoming deprecation | Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines Estimated deprecation: July 2024 |
| May 1 | Recommendation | Upcoming deprecation | Log Analytics agent should be installed on virtual machine scale sets Estimated deprecation: July 2024 |
| May 1 | Recommendation | Upcoming deprecation | Auto provisioning of the Log Analytics agent should be enabled on subscriptions Estimated deprecation: July 2024 |
| May 1 | Recommendation | Upcoming deprecation | Log Analytics agent should be installed on virtual machines Estimated deprecation: July 2024 |
| May 1 | Recommendation | Upcoming deprecation | Adaptive application controls for defining safe applications should be enabled on your machines Estimated deprecation: July 2024 |
| April 18 | Alert | Deprecation | Fileless attack toolkit detected (VM_FilelessAttackToolkit.Windows)Fileless attack technique detected (VM_FilelessAttackTechnique.Windows)Fileless attack behavior detected (VM_FilelessAttackBehavior.Windows)Fileless Attack Toolkit Detected (VM_FilelessAttackToolkit.Linux)Fileless Attack Technique Detected (VM_FilelessAttackTechnique.Linux)Fileless Attack Behavior Detected (VM_FilelessAttackBehavior.Linux)Fileless attack alerts for Windows and Linux VMs will be discontinued. Instead, alerts will be generated by Defender for Endpoint. If you already have the Defender for Endpoint integration enabled in Defender for Servers, there's no action required on your part. In May 2024 you might experience a decrease in your alerts volume, but still remain protected. If you don't currently have integration enabled, enable it to maintain and improve alert coverage. All Defender for Server customers can access the full value of Defender for Endpoint's integration at no additional cost. Learn more. |
| April 3 | Recommendation | Upcoming deprecation | Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources Estimated deprecation date: May 2024. |
| April 3 | Recommendation | Preview | Container images in Azure registry should have vulnerability findings resolved (Preview) |
| April 3 | Recommendation | Preview | Containers running in Azure should have vulnerability findings resolved (Preview) |
| April 3 | Recommendation | Preview | Container images in AWS registry should have vulnerability findings resolved (Preview) |
| April 3 | Recommendation | Preview | Containers running in AWS should have vulnerability findings resolved (Preview) |
| April 3 | Recommendation | Preview | Container images in GCP registry should have vulnerability findings resolved (Preview) |
| April 3 | Recommendation | Preview | Containers running in GCP should have vulnerability findings resolved (Preview) |
| April 2 | Recommendation | Upcoming deprecation | Virtual machines should be migrated to new Azure Resource Manager resourcesThe. There's no effect since these resources no longer exist. Estimated date: July 30, 2024 |
| April 2 | Recommendation | Update | Azure AI Services should restrict network access. |
| April 2 | Recommendation | Update | Azure AI Services should have key access disabled (disable local authentication). |
| April 2 | Recommendation | Update | Diagnostic logs in Azure AI services resources should be enabled. |
| April 2 | Recommendation | Deprecation | Public network access should be disabled for Cognitive Services accounts. |
| April 2 | Recommendation | GA | Azure registry container images should have vulnerabilities resolved |
| April 2 | Recommendation | Deprecation | Public network access should be disabled for Cognitive Services accounts |
| April 2 | Recommendation | GA | Azure running container images should have vulnerabilities resolved |
| April 2 | Recommendation | GA | AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) |
| April 2 | Recommendation | GA | AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) |
| April 2 | Recommendation | GA | GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) |
| April 2 | Recommendation | GA | GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) |
| March 28 | Recommendation | Upcoming | Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0) |
| March 28 | Recommendation | Upcoming | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af) Unified disk encryption recommendations will be available for GA in the Azure public cloud in April 2024, replacing the recommendation "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources." |
| March 18 | Recommendation | GA | EDR solution should be installed on virtual machines |
| March 18 | Recommendation | GA | EDR configuration issues should be resolved on virtual machines |
| March 18 | Recommendation | GA | EDR configuration issues should be resolved on EC2s |
| March 18 | Recommendation | GA | [EDR solution should be installed on EC2s] |
| March 18 | Recommendation | GA | EDR configuration issues should be resolved on GCP virtual machines |
| March 18 | Recommendation | GA | EDR solution should be installed on GCP virtual machines |
| End March | Recommendation | Deprecation | Endpoint protection should be installed on machines . |
| End March | Recommendation | Deprecation | Endpoint protection health issues on machines should be resolved |
| March 5 | Recommendation | Deprecation | Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) |
| March 5 | Recommendation | Deprecation | Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI) |
| February 20 | Recommendation | Upcoming | Azure AI Services resources should restrict network access |
| February 20 | Recommendation | Upcoming | Azure AI Services resources should have key access disabled (disable local authentication) |
| February 12 | Recommendation | Deprecation | Public network access should be disabled for Cognitive Services accounts. Estimated deprecation: March 14 2024 |
| February 8 | Recommendation | Preview | (Preview) Azure Stack HCI servers should meet secured-core requirements |
| February 8 | Recommendation | Preview | (Preview) Azure Stack HCI servers should have consistently enforced application control policies |
| February 8 | Recommendation | Preview | (Preview) Azure Stack HCI systems should have encrypted volumes |
| February 8 | Recommendation | Preview | (Preview) Host and VM networking should be protected on Azure Stack HCI systems |
| February 1 | Recommendation | Upcoming | EDR solution should be installed on virtual machines EDR configuration issues should be resolved on virtual machines EDR solution should be installed on EC2s EDR configuration issues should be resolved on EC2s EDR configuration issues should be resolved on GCP virtual machines EDR solution should be installed on GCP virtual machines. |
| January 25 | Alert (Container) | Deprecation | Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment) |
| January 25 | Alert (Container) | Deprecation | Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly) |
| January 25 | Alert (Container) | Deprecation | Anomalous access to Kubernetes secret (Preview) (K8S_AnomalousSecretAccess) |
| January 25 | Alert (Windows machines) | Update to informational | Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlWindowsViolationAudited) |
| January 25 | Alert (Windows machines) | Update to informational | Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlLinuxViolationAudited) |
| January 25 | Alert (Container) | Update to informational | Attempt to create a new Linux namespace from a container detected (K8S.NODE_NamespaceCreation) |
| January 25 | Alert (Container) | Update to informational | Attempt to stop apt-daily-upgrade.timer service detected (K8S.NODE_TimerServiceDisabled) |
| January 25 | Alert (Container) | Update to informational | Command within a container running with high privileges (K8S.NODE_PrivilegedExecutionInContainer) |
| January 25 | Alert (Container) | Update to informational | Container running in privileged mode (K8S.NODE_PrivilegedContainerArtifacts) |
| January 25 | Alert (Container) | Update to informational | Container with a sensitive volume mount detected (K8S_SensitiveMount) |
| January 25 | Alert (Container) | Update to informational | Creation of admission webhook configuration detected (K8S_AdmissionController) |
| January 25 | Alert (Container) | Update to informational | Detected suspicious file download (K8S.NODE_SuspectDownloadArtifacts) |
| January 25 | Alert (Container) | Update to informational | Docker build operation detected on a Kubernetes node (K8S.NODE_ImageBuildOnNode) |
| January 25 | Alert (Container) | Update to informational | New container in the kube-system namespace detected (K8S_KubeSystemContainer) |
| January 25 | Alert (Container) | Update to informational | New high privileges role detected (K8S_HighPrivilegesRole) |
| January 25 | Alert (Container) | Update to informational | Privileged container detected (K8S_PrivilegedContainer) |
| January 25 | Alert (Container) | Update to informational | Process seen accessing the SSH authorized keys file in an unusual way (K8S.NODE_SshKeyAccess) |
| January 25 | Alert (Container) | Update to informational | Role binding to the cluster-admin role detected (K8S_ClusterAdminBinding) |
| January 25 | Alert (Container) | Update to informational | SSH server is running inside a container (K8S.NODE_ContainerSSH) |
| January 25 | Alert (DNS) | Update to informational | Communication with suspicious algorithmically generated domain (AzureDNS_DomainGenerationAlgorithm) |
| January 25 | Alert (DNS) | Update to informational | Communication with suspicious algorithmically generated domain (DNS_DomainGenerationAlgorithm) |
| January 25 | Alert (DNS) | Update to informational | Communication with suspicious random domain name (Preview) (DNS_RandomizedDomain) |
| January 25 | Alert (DNS) | Update to informational | Communication with suspicious random domain name (AzureDNS_RandomizedDomain) |
| January 25 | Alert (DNS) | Update to informational | Communication with possible phishing domain (AzureDNS_PhishingDomain) |
| January 25 | Alert (DNS) | Update to informational | Communication with possible phishing domain (Preview) (DNS_PhishingDomain) |
| January 25 | Alert (Azure App Service) | Update to informational | NMap scanning detected (AppServices_Nmap) |
| January 25 | Alert (Azure App Service) | Update to informational | Suspicious User Agent detected (AppServices_UserAgentInjection) |
| January 25 | Alert (Azure network layer) | Update to informational | Possible incoming SMTP brute force attempts detected (Generic_Incoming_BF_OneToOne) |
| January 25 | Alert (Azure network layer) | Update to informational | Traffic detected from IP addresses recommended for blocking (Network_TrafficFromUnrecommendedIP) |
| January 25 | Alert (Azure Resource Manager) | Update to informational | Privileged custom role created for your subscription in a suspicious way (Preview)(ARM_PrivilegedRoleDefinitionCreation) |
| January 4 | Recommendation | Preview | Cognitive Services accounts should have local authentication methods disabled Microsoft Cloud Security Benchmark |
| January 4 | Recommendation preview | Cognitive Services should use private link Microsoft Cloud Security Benchmark |
|
| January 4 | Recommendation | Preview | Virtual machines and virtual machine scale sets should have encryption at host enabled Microsoft Cloud Security Benchmark |
| January 4 | Recommendation | Preview | Azure Cosmos DB should disable public network access Microsoft Cloud Security Benchmark |
| January 4 | Recommendation | Preview | Cosmos DB accounts should use private link Microsoft Cloud Security Benchmark |
| January 4 | Recommendation | Preview | VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users Microsoft Cloud Security Benchmark |
| January 4 | Recommendation | Preview | Azure SQL Database should be running TLS version 1.2 or newer Microsoft Cloud Security Benchmark |
| January 4 | Recommendation | Preview | Azure SQL Managed Instances should disable public network access Microsoft Cloud Security Benchmark |
| January 4 | Recommendation | Preview | Storage accounts should prevent shared key access Microsoft Cloud Security Benchmark |
| December 14 | Recommendation | Preview | Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management. |
| December 14 | Recommendation | GA | Azure running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management. |
| December 14 | Recommendation | Rename | New: Azure registry container images should have vulnerabilities resolved (powered by Qualys). Vulnerability assessment for container images using Qualys. Old: Container registry images should have vulnerability findings resolved (powered by Qualys) |
| December 14 | Recommendation | Rename | New: Azure running container images should have vulnerabilities resolved - (powered by Qualys) Vulnerability assessment for container images using Qualys. Old: Running container images should have vulnerability findings resolved (powered by Qualys) |
| December 4 | Alert | Preview | Malicious blob was downloaded from a storage account (Preview)MITRE tactics: Lateral movement |
Related content
For information about new features, see What's new in Defender for Cloud features.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for